Follow

Failure when using a certificate with a private key in Password Server delegated trust

Issue

Using the PowerShell Module if you try to connect to a certificate that has a Private key you will see an error like below.

PS C:\Windows\system32> Connect-AuthAnvil -PwsDelegatedTrust -OrgId 1 -ServiceUrl https://auth.scorpionlabs.com -ServiceCert "C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellModule\ServiceCert.cer" -ClientCert "C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellModule\delegated_trust.pfx" -EmailAddress admintech@scorpionlabs.com

WARNING: "C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellModule\delegated_trust.pfx" is not a valid file path. 
Connect-AuthAnvil : Cannot process argument transformation on parameter 'ClientCert'. Certificate "C:\Program
Files\Scorpion Software\Modules\AuthAnvilPowerShellModule\delegated_trust.pfx" not found! 
At line:1 char:190 
+ ... r" -ClientCert "C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellMo ... 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
+ CategoryInfo : InvalidData: (:) [Connect-AuthAnvil], ParameterBindingArgumentTransformationException 
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,ScorpionSoftware.AuthAnvil.PowerShellModule.Connect 
AuthAnvilCommand

PS C:\Windows\system32>

 

Cause

The connections in PowerShell is failing because the certificate's private key is protected by a non-blank password.  The private keys for certificate files generated by Password Server itself always have blank passwords, while manually generated ones will typically require a non-blank one, and when specifying a PFX certificate by file-path, the module will always attempt to use a blank password.

  

Resolution 

To resolve this issue we need to configure the connection string with the Thumbprint of the certificate.

We can gather the Certificate Thumbprint by adding the Certificate to the Personal Store. Certificates stored in the Windows Certificate Store don't have passwords to protect their private keys. The following steps will walk you through the process of gathering the Thumbprint.

 

Step 1 Add the Certificate to your Personal Store.

Double click the Certificate 

screena.png

 

This will launch the Import Wizard. If the certificates private key is protected by a password, then you need to specify that password.

screen1.png

Note: You can not change the certificate password here. To change the password here, you’d need to import it (specifying the current password), then export it via the MMC.  In the Certificate Export Wizard, you’d chose to include the private key, then you’d be prompted to specify a password.


Selecting Next will bring us to the option to select the Personal Store.

screen2.png

 

Selecting Next will allow us to complete the import and Finish.

installwiz5.png

This completes the process to of placing the Certificate in the Personal Store.

 

Step 2 Open MMC from the Start Menu.

mmc.png

Select File, Add/Remove Snap-in... then Certificates.

screen3.png

 

Choose My user account so that we can view the Personal Store. Select Add

screen4.png

 

 

We should now see "Certificates  - Current User" selected, Select OK

mmc_addcert3.png

 

We will now be able to select the Personal Certificate Store 

mmc_addcert4.png

Note: Your certificate should now be displayed as the above example in place of "third party".


Double click the Certificate, select Details. We will now be able to see the Thumbprint.

thumbprint.png

Note: When you copy the Thumbprint paste it in Notepad as Windows will add an extra space at the beginning and the end.

 

Using the Thumbprint we can now modify the connection string 

Connect-AuthAnvil -PwsDelegatedTrust -OrgId 1 -ServiceUrl http://auth.scorpionlabs.com -ServiceCert "C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellModule\ServiceCert.cer" -ClientCert "9d 51 66 76 a9 c0 85 84 06 eb 73 a8 e2 59 e9 4c 9f 66 87 1a" -emailaddress admintech@scorpionlabs.com

 

At this point you should now be connected. 

 

PowerShell tip.

You can modify the "AuthAnvilPowerShellModule.dll.config" usually located in "C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellModule" with the Certificate Path or the Thumbprint so that you do not have to re-enter it each time. 

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<add key="TFA.ServiceUrl" value="" />
<add key="PWS.ServiceUrl" value="http://auth.scorpionlabs.com" />
<add key="PWS.ClientCert" value="9d 51 66 76 a9 c0 85 84 06 eb 73 a8 e2 59 e9 4c 9f 66 87 1a" />
<add key="PWS.ServiceCert" value="C:\Program Files\Scorpion Software\Modules\AuthAnvilPowerShellModule\ServiceCert.cer" />
<add key="SSO.ServiceUrl" value="" />
</appSettings>
</configuration>

 

For information on how to use the PowerShell Module please see this Article.

For information on working with the Password Server and Delegated Trust please see this Article.

 

Affects

Password Server v2.5 and newer unless otherwise noted. 

 

Questions?

If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk